12-03-2015 05:17 AM - edited 03-05-2019 02:51 AM
Greetings,
My question is about what type of NAT to use in this scenario. I usually don't do NAT in my configurations, unless I'm implementing the typical private to public internet one-to-many situation. The internet network I created is currently routable across my network; however, the customer has assigned another private block which I'm currently using at another location. I would like to know if it's easier to do a one-to-one or easier to do a one-to-many instance of NAT translation. I would like to keep using the private space I've already assigned and mask their private block with one of mine. Is this possible?
Example: 10.41.244.0 /27 -> NAT translate (1:1 or 1:Many) -> 10.160.0.0/27 -> VPN Inside Tunnel -> Inside Servers, then back to the customer site in reverse order.
Any advice will be helpful.
Thanks,
Andrew
12-03-2015 05:41 AM
Hello,
If you compare them in terms of being easy or difficult, both of them are easy.
It depends on whether you are going to have policy per IP or not, because if you do 1:many NAT, you will only see one IP on the other side of the network, so implementing policy per IP is not possible. Static NAT is also possible, but you need to configure about 30 lines of NAT since your prefix is /27. I suggest configuring 1:many NAT if you do not have a specific requirement to put policy per IP.
Let me know if you need an example.
Hope it helps,
Masoud
12-03-2015 05:48 AM
Please, an example would be great. I just went over the static NAT and you're right; however, I don't adding in the extra lines though.
Thanks,
Andrew
12-03-2015 06:02 AM
Do you have any NAT configured on your router? Do you need an example of static NAT or dynamic?
Masoud
12-03-2015 06:15 AM
Static please. Right now I don't have any NAT configured on the router; I usually just route the private space I reserve for the customer back to our network over an IPsec tunnel. At this new site, the customer wants to control DHCP, and this is the reason why I would like to translate their IP scheme to mine when it needs to go out the tunnel, then route it back through the tunnel and translate it to its original customer IP.
Thanks in advance,
Andrew
12-03-2015 06:24 AM
I suppose
interface fa0/0 is connected to your customer (outside of your network)
interface fa1/0 is connected to the VPN tunnel and your server (inside of your network)
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
interface FastEthernet1/0
ip address 2.1.1.1 255.255.255.0
ip nat inside
!
ip nat outside source static 10.41.244.1 10.160.0.1
ip nat outside source static 10.41.244.2 10.160.0.2
ip nat outside source static 10.41.244.3 10.160.0.3
and so on
IPs on the interfaces can be any IP addresses. They do not have to be the same as the IPs in your NAT statements.
Masoud
12-03-2015 07:28 AM
Perfect, very easy to follow. Would that also work in reverse order, or would I have to create a NAT to translate my network back to the customer network when I send that traffic back to that customer interface?
12-03-2015 07:33 AM
No, you do need to do that. It will work in reverse order as well. Just make sure your routing works correctly.
1. Route 10.160.0.0/27 to the NAT router on your servers and tunnel.
2. Route 10.41.244.0/27 to outside on your NAT router.
Masoud
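As an added example, not part of this thread, here is a small Python script that builds the 1:1 mapping between the two /27 prefixes from the question, renders the static `ip nat outside source static` lines Masoud showed, and models the address rewrite in both directions to illustrate why the same table serves return traffic. The prefixes are the thread's; the function names are my own.

```python
import ipaddress

# Prefixes from the thread: the customer's real addresses (outside local)
# and the engineer's own block they are presented as (outside global).
CUSTOMER_PREFIX = "10.41.244.0/27"
MASKED_PREFIX = "10.160.0.0/27"


def build_mapping(outside_local: str, outside_global: str) -> dict:
    """Pair each host in the customer prefix with the host at the same
    offset in the masked prefix. 1:1 static NAT needs equal-size prefixes."""
    real = ipaddress.ip_network(outside_local, strict=True)
    masked = ipaddress.ip_network(outside_global, strict=True)
    if real.prefixlen != masked.prefixlen:
        raise ValueError("1:1 static NAT needs prefixes of the same size")
    return {str(r): str(m) for r, m in zip(real.hosts(), masked.hosts())}


def nat_config(outside_local: str, outside_global: str) -> list:
    """Render the IOS 'ip nat outside source static' lines (30 for a /27)."""
    mapping = build_mapping(outside_local, outside_global)
    return [f"ip nat outside source static {real} {masked}"
            for real, masked in mapping.items()]


def translate(mapping: dict, src: str, dst: str, direction: str) -> tuple:
    """Model the router's rewrite of a packet's (src, dst) pair.
    'outside_to_inside': customer host -> server; the source is rewritten.
    'inside_to_outside': server -> customer; the destination is rewritten
    using the reverse of the same table, so no second NAT is required."""
    if direction == "outside_to_inside":
        return mapping.get(src, src), dst
    reverse = {masked: real for real, masked in mapping.items()}
    return src, reverse.get(dst, dst)


if __name__ == "__main__":
    for line in nat_config(CUSTOMER_PREFIX, MASKED_PREFIX):
        print(line)
```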